Add refresh token feature #23
Conversation
|
Hey @alvinchow86 this seems great! Still have to take a look at it closely, but really appreciate the work you've put into this and no doubt we'll get this merged. First thing, do you mind updating your fork with the latest from master which fixes failing tests from a recent change in DRF's compat module? Second, we'd definitely need some tests for this before merging. |
|
Cool, I'll definitely work on some tests. |
|
@simonluijk before merging this PR it needs some tests. |
|
sorry about the delay, I will try to push out some tests this week |
|
Any news on this? If there is need for extra pair of hands, I could help with this as I need the functionality... |
|
In the middle of writing tests, will push soon |
|
I just looked over the code, LGTM. A small nitpick is why are you using |
|
Added tests, mainly for the refresh token API endpoint. I didn't write ones for the serializer (some of which would be redundant with the API tests, but let me know if they are needed). Added a FYI I used |
|
Nice work. I didn't realize python-jwt used that. Ignore my nitpick then. |
|
Ah tests are failing on Python 2.6 and 3.2 but passing on 2.7.. guess I got to make some compatibility fixes |
|
@alvinchow86 very excited for this, you've done a tremendous job on it. I haven't checked the failing tests yet, but shouldn't be hard to get fixed. At a quick glance, I'm thinking there should be something simpler we could do regarding the Will try to take a better look when tests are passing and give any additional feedback if any. |
|
let me see if I can rewrite the tests without forcing the time |
|
@alvinchow86 where are you with this? I've got some time and I'd like to help however I can. |
|
was planning to wrap this up by today or tomorrow (sorry again for the delay) |
|
@alvinchow86 no worries, if there's anything you need help with or would like to discuss, let me know. |
|
I integrated @liamlin's Python 2.6 fix for total_seconds. The Python 3 issue had something to do with my overriding datetime with SimulationDateTime; I guess the isinstance() override doesn't work in Python 3. Anyway I rewrote the tests to not use the Travis now passes, I think this PR is ready. If you want I can squash the commits a bit. |
typo [refresh-token] Refactor renew token stuff, add jwt_get_user_id_from_payload_handler for custom user_id format [refresh-token] add tests for refresh token feature some more api checks
For Python2.6: fix non-existing total_seconds by converting datetime delta to seconds. For Python3: fix "datetime is not JSON serializable" issue by converting the delta datetime to unix timestamp first.
[refresh-token] cleanup
|
@alvinchow86 again, great work on this. Definitely looks good to me. I think before merging this PR we need to document the new settings as well as a usage example for it. |
Update README.md [refresh-token] add curl example fix
|
added documentation in README. one thing I just noticed is I mix terminology (refresh in the code and renew in the settings), is this OK or should I just pick one? |
|
@alvinchow86 we definitely should stick with only one, either refresh or renew. I'm more inclined towards probably using refresh. It'd also help to add a "scenario" in the Refresh Token part of the documentations. When would you want to use this and how might it fight into a real world scenario? I'd also love to know how you're using this. |
|
Fixed wording and added use case notes. The basic idea is to try to keep a user "logged in" while they are actively using a site, without having to necessarily make the token expiration too long either. You can have a web-app that periodically checks if the current token is close to expiring, and if it is, refresh the token to push out the "session"'s expiration |
|
Thanks @alvinchow86 I understand as the previous token will still be valid it is not necessary to suspend all requests while the new token is being fetched - the old token will still be valid (unless expired) after the new token is issued. |
|
@alvinchow86 I think we have another wording problem with the Would it help if it was called |
|
@jpadilla I agree the proposed name is better 👍 for |
|
makes sense, I renamed to |
|
@alvinchow86 I like |
|
done |
|
@alvinchow86 Thanks again! This has been this project's biggest PR so far. I'll give it a try once again. I'll also work on a Changelog and Contributors llist. Will update here when I release it to PyPI. |
|
Great work everyone 👍 |
|
Just released v1.0.0 which includes this and a couple other things. Thanks again to everyone that made this happen, specially @alvinchow86! 👍 |
|
@alvinchow86 any reason why we used |
|
|
|
@alvinchow86 got it, thought we had incorrectly named it and thought it was meant to just be |
Added an optional endpoint that can refresh a token. This can be useful for a webapp to try to keep a user logged in without having to re-enter their password constantly. Got the idea from this post https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/
Basically, if
JWT_ALLOW_TOKEN_RENEWALis True, then an extra fieldorig_iat(stands for original issue at time) is stored on the returned JWT token. You can then pass the token to theRefreshJSONWebTokenview, and iforig_iathasn't yet expired, you get a token with a refreshed expiration time (but with the sameorig_iat, so you can only do refreshes up to some time limit, specified inJWT_TOKEN_RENEWAL_LIMIT). Getting a brand new token (by passing in username/password) will return a completely neworig_iatthough.I also added a new handler,
jwt_get_user_id_from_payload, that lets you specify how theuser_idfield is stored. Since it's possible for the custom payload handler to change how the user id is stored, it seems to make sense to have a way to retrieve it too.Feedback welcome (there are some things that could probably be cleaned up). I didn't add tests yet but if there is interest in this PR I will write some (I did write a number of tests in my application that uses this, so I am reasonably confident it works).